Add option to disable owner email address in CSR subject (#939)

docs/administration.rst

@@ -83,6 +83,12 @@ Basic Configuration
         Take care to write patterns in such way to not allow the `*` wildcard character inadvertently. To match a `.`
         character, it must be escaped (as `\.`).
 
+.. data:: LEMUR_OWNER_EMAIL_IN_SUBJECT
+    :noindex:
+
+        By default, Lemur will add the certificate owner's email address to certificate subject (for CAs that allow it).
+        Set this to `False` to disable this.
+
 .. data:: LEMUR_TOKEN_SECRET
     :noindex:
 

lemur/certificates/service.py

@@ -344,8 +344,9 @@ def create_csr(**csr_config):
     private_key = generate_private_key(csr_config.get('key_type'))
 
     builder = x509.CertificateSigningRequestBuilder()
-    name_list = [x509.NameAttribute(x509.OID_COMMON_NAME, csr_config['common_name']),
+    name_list = [x509.NameAttribute(x509.OID_COMMON_NAME, csr_config['common_name'])]
-                 x509.NameAttribute(x509.OID_EMAIL_ADDRESS, csr_config['owner'])]
+    if current_app.config.get('LEMUR_OWNER_EMAIL_IN_SUBJECT', True):
+        name_list.append(x509.NameAttribute(x509.OID_EMAIL_ADDRESS, csr_config['owner']))
     if 'organization' in csr_config and csr_config['organization'].strip():
         name_list.append(x509.NameAttribute(x509.OID_ORGANIZATION_NAME, csr_config['organization']))
     if 'organizational_unit' in csr_config and csr_config['organizational_unit'].strip():